Aug 28, 2016 · All Bug Bounty POC write-ups by Security Researchers. The unofficial HackerOne disclosure timeline (HackerOne Reports). Public Pentest reports. Where to go next? Blogs to follow: BugCrowd Blog, HackerOne Blog, Jack Whitton’s Blog, Hack 2 Learn. Master the art of Cross Site Scripting.
XSS: To use cookie-stored messages in an XSS attack, the attacker would have to know the site's secret key, because if the hash doesn't match, the cookie backend discards the messages. Putting user input into unescaped output always has the possibility of opening up an XSS hole, but no more here than in any other feature.
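
The two points above as an added example (not code from the original page or from any framework): a minimal HMAC-signed message cookie that is discarded when the hash does not match, with escaping still applied at output. The names `SECRET_KEY`, `encode_messages`, `decode_messages` and `render`, the `$` separator and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import json

# Assumption: a constructed value standing in for the site's secret key.
SECRET_KEY = b"constructed-demo-secret"


def _signature(payload: str, key: bytes) -> str:
    """Keyed hash over the serialized messages."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def encode_messages(messages, key=SECRET_KEY):
    """Serialize messages and prepend an HMAC so tampering is detectable."""
    payload = json.dumps(messages, separators=(",", ":"))
    return _signature(payload, key) + "$" + payload


def decode_messages(cookie, key=SECRET_KEY):
    """Return the stored messages, or [] when the hash does not match."""
    sig, sep, payload = cookie.partition("$")
    expected = _signature(payload, key)
    # Constant-time comparison; a missing separator is treated as a mismatch.
    if not sep or not hmac.compare_digest(sig.encode(), expected.encode()):
        return []  # discard: cookie was modified or signed with another key
    try:
        return json.loads(payload)
    except ValueError:
        return []


def render(messages):
    """Escape on output: a valid signature does not make the content safe."""
    return "".join("<li>%s</li>" % html.escape(str(m)) for m in messages)


if __name__ == "__main__":
    cookie = encode_messages(["Saved <b>profile</b>"])  # constructed sample
    print(render(decode_messages(cookie)))
    print(decode_messages(cookie.replace("profile", "account")))  # tampered
```

The signature only proves the server wrote the cookie; if the server itself stored user input in a message, `render` is what keeps it from reaching the page as markup.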